particular website is not accessable from LAN

khem thapa · ‎01-15-2014

Hello,

I can't able to access a particular website from LAN eventhough i am able to access all.

Even i tried with static natted ip and there is no result as well.

when i inserted the mux cable directly to my laptop i cud able to access but not throught LAN

I have checked my firewall policy everthing looks ok. If there were certain rules then i would have not able to access more no. 1 site

its a single website i cannot able to access...I tried with static natted ip as well

i did all the troubleshooting but no result.

Is there any1 who had come across with this kind problem.

any help will be appreciated

Thanks

Khem

prateeve · ‎01-15-2014

Hi,

Is there any web-filtering server or url-filtering in your network. Also, please get the output of the following command:

packet-tracer input inside tcp (private ip address) 1025 (ip of website) 80 detailed

- Prateek Verma

khem thapa · ‎01-15-2014

Thanks 4 the reply

no we dont have any web-filtering server or url-filtering.

I even tried the command u mentioned the output is ok i mean all ok..nothing is being blocked.

is there any other way to figure out the problem and get it resolved.

Regards,

Khem

prateeve · ‎01-15-2014

Hi,

In that we could configure captures on firewall to check the whether it is being dropped due to some policy on firewall or not:

access-list test permit tcp ho (private ip) (ip of site) -by private ip I mean your source address

access-list test permit tcp (ip of site) (private ip)

capture capi interface inside access-list test

access-list test1 permit tcp (ip of site) (public ip of inside user)

access-list test1 permit tcp (public ip of inside user) (ip of site)

capture capo interface outside access-list test1

Also along with that configure the asp capture:

capture asp type asp-drop all

You could check whether it is being dropped by ASA or not in asp capture by running following command:

show capture asp | in (ip of site)

Then initiate the traffic and check the captures using following command:

show capture capi

show capture capo

- Prateek Verma

khem thapa · ‎01-15-2014

hi prateek

i did what u said

after doing the above configuartion

when i do sh capture capin

sh capture capin

0 packet captured

0 packet shown

but when i hit sh capture capout i getting replied.

Can u suggest what could be the error

Regards,

Khem,

khem thapa · ‎01-15-2014

hello prateek

after seeing the capin and capout

in capin

my ip hitting the webserver but not geting ack from the server

eg sh capture capin

source ip - 192.168.1.10:55555 203.197.X.X:80

192.168.1.10:55555 203.197.X.X:80

so on

for sh capture capout

source

202.X.X.X:55555 203.197.X.X:80

and so on

i think the problem is m not getiing back the syn ack from the web server

but for all other server geting back the ack from the server

and, i even check the policy and rules as well..

Kindly suggest the best possible way to get rid of this issue.

regards,

Khem

prateeve · ‎01-16-2014

Hi ,

Could you check with the ISP whether that particular websites ip is blocked on their end ? That could be a possibility.

- Prateek Verma

khem thapa · ‎01-16-2014

Hi Prateek,

i connected my laptop at router but it is accessable.

i even had a conversation with ISP and they said it is perfect.

when i tried with wireshark to trace the packet.

i came to know that i am not getting back the acknowlege from the server

when i send SYN to server, not getting the ACK(According to the firewall and wireshark)

But when i access the same site from router(directly connected the laptop to router) everything looks perfect.

having problem only to access this particular link.

i did all the troubleshooting which is mentioned by you

sh capture capin

here i m not getting the ACK

sh capture capout

here i am getting ACK from the server

apart from above packet tracer seems ok.

There are no rules as well in firewall

then where is the problem.

thank you 4 responding my issues.

Regards,

Khem